Anjuna Policy Manager Server boot sequence
AMD SEV-SNP on Azure
Running the Anjuna Policy Manager on AMD SEV-SNP on Azure involves two deployment phases:
Initial deployment
Initialize the Anjuna Policy Manager, encrypt its unsealing keys, and upload them to Azure Key Vault (AKV)
Subsequent deployments
Pull encrypted unsealing keys from AKV, decrypt them, unseal the Anjuna Policy Manager
Initial deployment
When you deploy the Anjuna Policy Manager (APM) for the first time, you need to do the following:
Build the enclave image
Define a Microsoft Azure Attestation endpoint policy allowing your APM enclave to perform Azure Key Vault Secure Key Release
Create an HSM-backed Azure Key Vault master key whose Secure Key Release policy names the Microsoft Azure Attestation endpoint as its trusted authority
Password-protect the TLS certificate and private key, and encrypt that password using the master key
Encrypt the Storage Account access key with the master key
After that, you can run the APM, which will automatically do the following:
Retrieve the master key through an Azure Key Vault Secure Key Release, presenting a Microsoft Azure Attestation token for the enclave
Retrieve the password-protected TLS certificate and private key, and the encrypted password
Decrypt the password using the master key, and use it to unlock the TLS certificate and private key
Retrieve the encrypted Storage Account access key, and decrypt it using the master key
Configure and start the APM Server
Initialize the APM; its encrypted storage backend is decrypted locally
As a one-time initialization step, encrypt the unsealing keys using the master key, and upload them to AKV
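The master key is only released to an enclave whose attestation token satisfies the key's release policy, so that policy is what decides which APM images can ever recover the TLS password, the Storage Account key and the unsealing keys. The following is an added example, not Anjuna's code and not the code Azure Key Vault runs: a small reference evaluator that applies the documented release-policy shape (anyOf of authority rules, each with allOf claim/equals conditions) to a decoded Microsoft Azure Attestation claim set, and checks the policy against the enclave you built and three impostors. The MAA endpoint, launch measurement and token values are constructed; the claim names follow the MAA SEV-SNP token schema, and the dotted-path lookup also covers tokens that nest them under x-ms-isolation-tee. The MAA endpoint policy from the step above is the first gate (whether a token is issued at all); this release policy is the second.

```python
"""Reference evaluator for an Azure Key Vault Secure Key Release policy
checked against the claim set of a Microsoft Azure Attestation token."""

# Assumed MAA endpoint for this deployment (constructed, not a real tenant).
MAA_ENDPOINT = "https://example-maa.eus.attest.azure.net"

# Launch measurement of the APM enclave image built during initial deployment.
# Constructed value; a real SEV-SNP launch measurement is 48 bytes (96 hex chars).
APM_LAUNCH_MEASUREMENT = "ab" * 48

# Release policy attached to the HSM-backed master key: release only to tokens
# issued by our MAA endpoint for a non-debuggable SEV-SNP guest whose launch
# measurement is exactly the APM image we built.
RELEASE_POLICY = {
    "version": "1.0.0",
    "anyOf": [
        {
            "authority": MAA_ENDPOINT,
            "allOf": [
                {"claim": "x-ms-attestation-type", "equals": "sevsnpvm"},
                {"claim": "x-ms-sevsnpvm-is-debuggable", "equals": False},
                {"claim": "x-ms-sevsnpvm-launchmeasurement",
                 "equals": APM_LAUNCH_MEASUREMENT},
            ],
        }
    ],
}


def lookup_claim(claims, path):
    """Resolve a dotted claim path; returns None when any segment is missing.
    Handles tokens that nest the TEE claims under "x-ms-isolation-tee"."""
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def policy_allows_release(policy, token):
    """Return (allowed, reason) for a decoded MAA token claim set.
    Assumes the token's signature and expiry were already verified against the
    issuing MAA endpoint; this function only applies the release-policy rules."""
    issuer = str(token.get("iss", "")).rstrip("/")
    reasons = []
    for rule in policy.get("anyOf", []):
        if rule["authority"].rstrip("/") != issuer:
            reasons.append(f"authority {rule['authority']} does not match issuer {issuer!r}")
            continue
        failed = [c["claim"] for c in rule.get("allOf", [])
                  if lookup_claim(token, c["claim"]) != c["equals"]]
        if not failed:
            return True, "all claims matched"
        reasons.append("claim mismatch: " + ", ".join(failed))
    return False, "; ".join(reasons) or "policy has no rules"


def sample_token(**overrides):
    """Constructed claim set shaped like an MAA SEV-SNP token (not a real token)."""
    claims = {
        "iss": MAA_ENDPOINT,
        "x-ms-attestation-type": "sevsnpvm",
        "x-ms-sevsnpvm-is-debuggable": False,
        "x-ms-sevsnpvm-launchmeasurement": APM_LAUNCH_MEASUREMENT,
    }
    claims.update(overrides)
    return claims


def demo():
    """Evaluate the policy against the enclave we built and three impostors."""
    cases = {
        "genuine APM enclave": sample_token(),
        "debug-enabled build": sample_token(**{"x-ms-sevsnpvm-is-debuggable": True}),
        "different enclave image": sample_token(
            **{"x-ms-sevsnpvm-launchmeasurement": "cd" * 48}),
        "other attestation provider": sample_token(iss="https://rogue.example.net"),
    }
    return {name: policy_allows_release(RELEASE_POLICY, tok)
            for name, tok in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28s} {'RELEASE' if ok else 'DENY':7s} {why}")
```

Pinning x-ms-sevsnpvm-launchmeasurement ties the release to one enclave image: a rebuilt APM image has a new measurement and cannot unseal until the key's release policy is updated to include it, so plan that update as part of every APM upgrade. Requiring x-ms-sevsnpvm-is-debuggable to be false keeps a debug build of the same code from obtaining the master key.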

Subsequent deployments
For a subsequent deployment of the APM, all you need to do is start the Anjuna Policy Manager Confidential Container.
The APM will execute the following procedure automatically:
Retrieve the master key through an Azure Key Vault Secure Key Release, presenting a Microsoft Azure Attestation token for the enclave
Pull the encrypted unsealing keys, the password-protected TLS certificate and private key, the encrypted TLS password, and the encrypted Storage Account access key, and decrypt them using the master key
Configure and start the APM Server
Unseal the APM; its encrypted storage backend is decrypted locally